Networking - page 5

Recently, my parents upgraded from AT&T’s old ADSL to the new “UVerse” ADSL2+. With it came a new Motorola NVG510 UVerse all-in-one router / wireless access point / ADSL2+ modem combo. In my opinion, its routing and wireless abilities are total crap. Long ago I installed a Linksys WRT54G router that has been flashed with DD-WRT. This allows bandwidth monitoring, proper port forwarding, and also gives me the ability to connect via VPN remotely to help them out with problems on the rare occasion. After their new Motorola UVerse modem was installed, my first order of business was to strip it of all routing and wireless functions and make it just a modem. On the old Novatel modems, this was called IP Passthrough and was pretty easy to set up. Now it’s changed and can take a little finesse to set up.

How to enable IP Passthrough on the Motorola NVG510 UVerse Gateway

I assume you already have a router to connect your NVG510 to. Go ahead and connect the router's WAN port to one of the LAN ports on the UVerse modem. You will need the MAC address of the WAN port on your router; you can usually find this on a sticker on the bottom of the unit. I’m going to pretend mine is AB:CD:EF:GH:IJ:KM for the scope of this article.

The router you are adding needs to have a LAN address that is not on the 192.168.1.x subnet. If you absolutely must have your router on that subnet, you can change the IP/subnet of the NVG510. If you need help with that, post in the comments and I would be glad to lend a hand.

With your computer connected to one of the LAN ports on the NVG510, navigate to the configuration page. By default it is http://192.168.1.254. You will see this page:

In a lab environment, and in very limited production scenarios, it’s often very useful to open all ports, TCP and UDP, but only to certain IP addresses, subnets, or IP address ranges. I have found very little info on this specifically, so I thought I would whip up this guide so you know an easy way to open up all ports for specific addresses. This will work on VMware ESXi 5, 5.1 and 5.5 for sure, and it will most likely work for most versions of ESXi, although I have not tested it. Please let me know in the comments if you have luck on non-5.x versions, specifically 4.x and 6.x.

Basically, we are going to create four firewall rules, which do the following:

Open all UDP ports inbound (ports 1-60,000).

Open all UDP ports outbound (ports 1-60,000).

Open all TCP ports inbound (ports 1-60,000).

Open all TCP ports outbound (ports 1-60,000).

Once that’s done we’ll lock access down to a specific address or addresses via the vSphere Client. First, go ahead and SSH into your ESXi host. Once you are at a command prompt you will need to edit /etc/vmware/firewall/service.xml. I prefer nano, but that’s not available on ESXi, so we have to use vi. First, let's make a backup of the file and change permissions so we can edit the file.

Now we have a backup of the service.xml file, called service.xml.bak. We have also allowed writes to service.xml and toggled the sticky bit. Let's go ahead and open service.xml with vi.

# vi /etc/vmware/firewall/service.xml

The service.xml file is the main template for firewall rules, specifically pertaining to ports. It is what populates all of the available information on the Security Profile > Firewall tab in the vSphere Client. It is here we are going to add our four rules. If you are unfamiliar with vi, it can be a bit confusing. Here are some pointers:

When you first enter vi, you cannot manipulate any text. To do so, hit the “i” key. This puts you in “insert” mode.

Once in insert mode you can move about freely and add/edit at will.

After making all needed changes, press the “ESC” key, then “:” – this puts you in vi command mode.

At the “:” prompt, enter “w” (for write) and “q” (for quit) and then press Enter. It should look like this: :wq
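The four rulesets described above, and the lock-down step that follows them, as an added example in POSIX shell (this is not the author's or VMware's code). The script prints the four <service> blocks in the format service.xml uses, and prints the esxcli commands that switch each ruleset from "allowed all" to an explicit allowed-address list; the ruleset names (custAllUdpIn and friends), the service ids 0100-0103 and the address 10.0.0.0/24 are made-up values you should change to suit your host.

```shell
#!/bin/sh
# Added example, not the page's own code: build the four "open all ports"
# rulesets for /etc/vmware/firewall/service.xml and print the esxcli
# commands that restrict them to named source addresses.
# Assumptions: ruleset names, service ids and 10.0.0.0/24 are constructed.

# gen_rule SERVICE_ID RULESET_NAME DIRECTION PROTOCOL
# Prints one <service> block; the numeric service id must be unique in
# service.xml and the <id> element is the name esxcli refers to.
gen_rule() {
    cat <<EOF
<service id="$1">
  <id>$2</id>
  <rule id='0000'>
    <direction>$3</direction>
    <protocol>$4</protocol>
    <porttype>dst</porttype>
    <port>
      <begin>1</begin>
      <end>60000</end>
    </port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
EOF
}

# The four rules from the text: UDP in/out and TCP in/out, ports 1-60000.
gen_all_rules() {
    gen_rule 0100 custAllUdpIn  inbound  udp
    gen_rule 0101 custAllUdpOut outbound udp
    gen_rule 0102 custAllTcpIn  inbound  tcp
    gen_rule 0103 custAllTcpOut outbound tcp
}

# lockdown_cmds ALLOWED: print the esxcli commands that turn "allow from
# anyone" off for each ruleset and permit only ALLOWED (address or CIDR).
# With allowed-all false and an empty allowed list, nobody matches the rule,
# so always run the set command before trusting the ruleset is limited.
lockdown_cmds() {
    for rs in custAllUdpIn custAllUdpOut custAllTcpIn custAllTcpOut; do
        echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
        echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $1"
    done
    # Verification: every custom ruleset should list only the expected IPs.
    echo "esxcli network firewall ruleset allowedip list"
}

# Stand-alone use: print the XML, then the commands for a constructed subnet.
if [ "${1:-}" = "demo" ]; then
    gen_all_rules
    lockdown_cmds 10.0.0.0/24
fi
```

Paste the output of gen_all_rules into service.xml before its closing ConfigRoot tag, run esxcli network firewall refresh so the host reads the new rulesets, and only then run the printed lock-down commands; the final allowedip list command is the check that each "all ports" ruleset is indeed limited to the addresses you intended.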

When I finally got a Windows Server 2012 image built and deployed on OpenStack, I started having some seriously squirrely problems with networking. I was able to ping and resolve DNS. I was even able to browse network shares on other servers that were well up the chain outside of the virtual environment, but I was unable to actually browse the internet from the Windows Server 2012 instance on OpenStack. I was having no issues with Linux based images.

I immediately suspected MTU as the culprit. I double-checked my neutron-dnsmasq.conf file to make sure the MTU was set to 1454 via DHCP configuration. It was. So I checked the MTU settings on the Windows image, and it was in fact 1500. For some reason the DHCP option was not having any effect on the Windows image. This is supposed to be addressed by the CloudBase VirtIO driver, allowing the MTU to be set via DHCP in OpenStack environments, but it obviously wasn’t working. You can check your MTU by doing the following:

Open an Administrator command prompt.

netsh interface ipv4 show interfaces

This will show you your current MTU settings. Pay close attention to the Idx number of the Ethernet interface; you will need it to change the MTU. To change the MTU to 1454, use this command (you will need to replace the “10” with the Idx for your Ethernet interface):

If you’ve read my other recent posts, you’ve probably noticed I’ve been spending a lot of time with different cloud architectures. My previous guide on using DevStack to deploy a fully functional OpenStack environment on a single server was fairly involved, but not too bad. I’ve read quite a bit about Ubuntu OpenStack and it seems that Canonical has spent a lot of energy developing their spin on it. So, now I want to set up Ubuntu OpenStack. All of Ubuntu’s official documentation and guides state a minimum requirement of 7 machines (servers). However, although I could probably round up 7 machines, I really do not want to spend that much effort and electricity. After scouring the internet for many hours, I finally found some obscure documentation stating that Ubuntu OpenStack could in fact be installed on a single machine. It does need to be a pretty powerful machine; the minimum recommended specifications are:

8 CPUs (4 hyperthreaded will do just fine)

12GB of RAM (the more the merrier)

100GB Hard Drive (I highly recommend an SSD)

With the minimum recommended specs being what they are, my little 1u server may or may not make the cut, but I really don’t want to take any chances. I’m going to use another server, a much larger 4u, to do this. Here are the specs of the server I’m using:

Supermicro X7DAL Motherboard

Xeon W5580 4 Core CPU (8 Threads)

12GB DDR3 1333MHz ECC Registered RAM

256GB Samsung SSD

80GB Western Digital Hard Drive

I have installed Ubuntu 14.04 LTS, with OpenSSH Server being the only package selected during installation. So, if you have a machine that is somewhat close to the minimum recommended specs, go ahead and install Ubuntu 14.04 LTS. Be sure to run a sudo apt-get upgrade before proceeding.

Let's Get Started

First, we need to add the OpenStack installer PPA. Then we need to update apt. Do the following:

MailCleaner is a nice open source Linux distribution that creates a spam filter appliance. It is designed to sit between an email server and the internet and filter spam out of email using advanced rules, DNS RBLs (real-time blacklists), and many other techniques. It also scans email for viruses. Although I no longer use MailCleaner (I have replaced it with ScrollOut F1), I remember coming across a big issue in the past that took me some time to figure out, so I thought I would share it.

Because MailCleaner is more or less an appliance, most aspects of the operating system are controlled by MailCleaner. A majority of the settings you need to change are easily available on the web interface; however, firewall rules are not. MailCleaner is designed so that it manages all iptables rules. If you manually add an iptables rule from the command line, once it’s reloaded or the system is rebooted, the rule is gone. That is because MailCleaner wipes out and reloads iptables rules from data stored in its MySQL database. So, in order to open any additional ports, you must modify the database. I encountered this dilemma when I installed a remote monitoring client (the Nagios-based Check_MK, to be exact) and needed to open a port to allow the monitoring server to connect.

Let's assume I need to open up SSH (port 22) and rsync (port 873), and I only want my mail server’s IP, 1.2.3.4, to connect. Normally we would enter the following iptables commands:

But in this case, we cannot. The good news is that MailCleaner will do it for you if you add the correct info into the MySQL database. Here’s how you do that (from a command prompt on the MailCleaner server):
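Because the rows you insert here become firewall rules on the next reload, it is worth validating the service name, port, protocol and source address before they go anywhere near the database. The following POSIX shell helper is an added example and not MailCleaner's own tooling: it checks each value and then prints the INSERT statement for the SSH-from-1.2.3.4 case the text describes. The table and column names (external_access in the mc_config database, with service, port, protocol and allowed_ip columns) are assumed from a typical MailCleaner install; confirm them against your appliance with DESCRIBE before piping the output into mysql.

```shell
#!/bin/sh
# Added example, not part of MailCleaner: validate inputs and print the SQL
# that opens one port for one source address. Table/column names are an
# assumption about the mc_config schema; verify with DESCRIBE first.

# valid_ipv4 IP: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# valid_port PORT: digits only, 1-65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# open_port_sql SERVICE PORT PROTO SOURCE_IP
# Prints an INSERT for the (assumed) external_access table, or fails with
# status 1 if any argument is malformed. Restricting the characters allowed
# in SERVICE keeps quoting simple and keeps junk out of the rule table.
open_port_sql() {
    svc=$1; port=$2; proto=$3; src=$4
    echo "$svc" | grep -Eq '^[A-Za-z0-9_-]{1,32}$' || return 1
    valid_port "$port" || return 1
    case "$proto" in TCP|UDP) ;; *) return 1 ;; esac
    valid_ipv4 "$src" || return 1
    printf "INSERT INTO external_access (service, port, protocol, allowed_ip) VALUES ('%s', %s, '%s', '%s');\n" \
        "$svc" "$port" "$proto" "$src"
}

# Stand-alone use: the two rules from the text, SSH and rsync from 1.2.3.4.
if [ "${1:-}" = "demo" ]; then
    open_port_sql ssh 22 TCP 1.2.3.4
    open_port_sql rsync 873 TCP 1.2.3.4
fi
```

Pipe the printed statements into the mysql client against the mc_config database, then let MailCleaner reload its firewall (or reboot) and confirm with iptables -L -n that the ACCEPT rules for ports 22 and 873 appear with 1.2.3.4 as the only source.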

I always come across pages, links, and things that I don’t want to forget about, and I want to share with the world. So, I decided to create a post with nothing but links. From time to time I will update this post with new links. I’ve tried to categorize everything as much as possible. Be sure to hit the break below to get the full list. Enjoy!

This is a how-to on installing Fail2Ban on CentOS 7. Fail2Ban is an incredibly useful, and often necessary, package that will automatically block IP addresses attempting to brute-force attack your server(s). For instance, with Fail2Ban installed, if an IP address attempts to brute-force login as user “root” on your server, once a certain number of attempted logins is reached within a designated time period, it will automatically insert an iptables rule into your firewall to block all access from that IP address for a specified period of time. Of course, you set all of these variables in the configuration file, which I’ll go into later on. I have yet to have a public-facing server be online more than a day before a brute force attack of some sort is encountered. The best practice is to use secure passwords, with upper case, lower case, numbers and a few symbols. Never use dictionary-based passwords. With effective, secure passwords it would take a very, very long time to gain access to a server by means of brute force, but it is possible. Regardless, it’s best to block these attacks from the beginning. It is all automated with Fail2Ban.

This guide assumes you have a CentOS 7 installation and have run yum update. It requires that you have root SSH access to the server.

First, you need to install the EPEL repository, as Fail2Ban is not available from the default CentOS repositories.
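The three variables the paragraph above refers to are maxretry, findtime and bantime: maxretry failures from one address within findtime seconds earn that address a ban of bantime seconds. The following POSIX shell script is an added example (not the author's configuration and not part of Fail2Ban): it writes a minimal jail.local that enables the sshd jail with those three settings, and runs a simplified version of the same counting rule over constructed /var/log/secure lines so you can see which address a jail would ban. The management address 192.0.2.10, the hostnames and the log lines are all made up for the example, and the awk pass ignores the findtime window and handles IPv4 only.

```shell
#!/bin/sh
# Added example, not from the page: a jail.local for the sshd jail using
# bantime/findtime/maxretry, plus an awk pass that reproduces the counting
# rule over constructed log lines. All addresses and hosts are made up.

# write_jail_local DEST: write a minimal jail.local enabling the sshd jail.
# ignoreip keeps your own management address from ever being banned, which
# is the most common way to lock yourself out of a fresh Fail2Ban install.
write_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5
ignoreip = 127.0.0.1/8 192.0.2.10

[sshd]
enabled = true
EOF
}

# offenders LOGFILE MAXRETRY [IGNOREIP]
# Print, sorted one per line, every source address with at least MAXRETRY
# "Failed password" lines in LOGFILE, skipping IGNOREIP. Simplified: no
# findtime window, IPv4 only, one ignored address.
offenders() {
    awk -v max="$2" -v ignore="${3:-}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != ignore) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= max) print ip }
    ' "$1" | sort
}

# Constructed sample lines in /var/log/secure format: one address hammering
# root, one user who mistypes once then logs in, and the management host.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:11 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51111 ssh2
Mar  3 10:01:14 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51111 ssh2
Mar  3 10:01:18 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51120 ssh2
Mar  3 10:01:25 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:01:31 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar  3 10:02:02 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:40 web1 sshd[2212]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:03:00 web1 sshd[2214]: Failed password for root from 192.0.2.10 port 33000 ssh2
EOF
}

# Stand-alone use: show which address the sshd jail settings would ban.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    echo "Would ban:"; offenders "$tmp" 5 192.0.2.10
    rm -f "$tmp"
fi
```

Drop the generated file in as /etc/fail2ban/jail.local (jail.conf itself is overwritten on package upgrades, so local overrides belong in jail.local), then use fail2ban-client status sshd to see the currently banned addresses and fail2ban-regex against /var/log/secure to confirm the filter actually matches your sshd log lines before relying on it.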